Posted by: David Scott
There’s been quite a bit of churn in the news lately about government surveillance of the internet and phone calls. The PRISM program seems to point to a massive government pry into private data by the National Security Agency and other government entities.
I’ve read the claims that “spying” includes eavesdropping on private phone conversations, and the opening of private data and communications on the internet. However, according to the president, “No one is listening to the content of people’s phone calls.” Rather, the official word seems to be that the U.S. government is collecting “metadata”… phone numbers, duration of calls, participants, and… well, I’m not sure I caught it all, but other “attribute” type features of calls – not the actual content of the calls – at least according to the president, attorney general, and other government officials – as of the day I was catching this. However, one should never make the mistake that metadata and content/data are mutually exclusive. They are not. More on that in a bit.
According to James Clapper, Director of National Intelligence, in a statement released June 6th, a court order is necessary to “query” data:
“The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.”
Being that the term “data” is used, vice “metadata,” in the statement above, the implication again seems to be that the content of calls is not being accessed, absent the strict necessity of a court order, as granted upon “reasonable suspicion” of terrorist activity.
In all of these regards, it might be wise to revisit a simple definition of “metadata.” What does I.T. Wars have to say about it? Well, metadata is simply data about data. Simple enough.
Therefore, most IT and business folks – those who are near the stream of records management – know that a solid set of metadata almost always includes elements of content – in the form of high-value keywords for example (in augmenting a mere collection of record attributes). After all, a database of record names (call participants), positions on a clock (of call initiation), duration (of call), and other dry stuff like that is pretty meaningless. How is anyone supposed to ascertain if a particular phone conversation, or content of something on the ‘net, is worth prying into from a terror/public safety perspective? It cannot always be strictly based on the who of call participants, etc. …
What sort of content/data feeds a metadata template? There’s certainly an algorithm paired with a data dictionary of buzzwords/phrases for stripping high-value keywords and phrases out of calls and internet content, adding them to the records set; so that human eyes can focus and dig where interest deems that necessary. Bet.
The Wall Street Journal reports that collection activity and the scope of the surveillance is much wider than has previously been known. The NSA has been collecting phone records from more than just Verizon, as originally understood; the collection also includes AT&T and Sprint/Nextel. The agency has also cataloged credit card transactions. PRISM gives the NSA and FBI access to servers run by AOL, Apple, Facebook, Google, Microsoft, Skype, Yahoo!, YouTube, and Paltalk. [Update: The Week reports: Analysts at the National Security Agency can now secretly access real-time user data provided by as many as 50 American companies, ranging from credit rating agencies to internet service providers, two government officials familiar with the arrangements said.]
The Washington Post obtained a document that revealed that this allows the government to collect audio and video chats, photographs, e-mails, documents, and connection logs to track potential terrorists.
Jonathan Turley, of George Washington University, says that all of our communications are being fed into a massive data bank that the government has access to – and that it’s a major violation of privacy.
Thwarting terror, and apprehending the progenitors of terror, will require methods that are frequently intrusive – particularly by past standards – but it is important for Americans, and particularly people at the technical/business points of privacy, to understand where this is all going. Be positioned to speak within your respective organizations to staff regarding expectations of privacy (or lack thereof). Further, IT and business leaders must be positioned to discuss their organization’s standing vis-à-vis government surveillance with outside clients and partners – even if only to surmise that standing by best guess. Why? Because questions are going to come – and you’d better occupy a reading on the scale above “Ignorant.” Understand that we’re not talking about the routine oversight of Federal standards that apply to normal business contexts: oversight of physician office labs, for example, in certifying them as compliant with Federal standards – stuff like that. Rather, we’re talking about prying about, or into, records in a way that has been wholly unanticipated until now.
What will you say to a client who asks, “Does your organization occupy any special new category of oversight by Federal authorities? Does the data you harbor regarding our organization, as one of your clients, come under any sort of review or intrusion by virtue of our association with you?” And… your answer is?… Be aware that your answer(s) will involve your legal affairs office/legal representation. Governance and leadership should begin getting some understandings and structures in place now.
Again, don’t make the mistake of thinking that metadata and content/data are mutually exclusive (irrespective of how your org treats them). They are not. Metadata can be anything you deem it to be: It can include critical content, and that’s important for privacy advocates, civil libertarians, business leaders, IT leaders, and indeed all Americans, to know as these discussions, reviews, and adjustments go forward.
Pay attention. :^ )
NP: Eddie Money, Life for the Taking.